General Provisions

Article 1: Object and Purpose

The purpose of this statement is to:

  1. secure the right to privacy of AEGEE members and other individuals, with regard to the gathering and processing of personal data relating to them, including processing by its Ordinary Members and third parties;
  2. protect all data owned by AEGEE-Europe, including information about its work and its members.

Article 2: Scope

AEGEE-Europe is responsible for ensuring the correct application of this statement to the processing of data from all individuals. This includes, but is not limited to, members, partners, and participants in events, activities and projects.

This statement extends to all instances of collecting, storing, and processing of personal data by AEGEE-Europe, including usage of your data on our website, online membership system, for communications such as through email, and all other instances where your data is utilised.

This statement also applies to all other data owned by AEGEE-Europe, especially data labelled as confidential.

Article 3: Definitions

For the purposes of this statement, the following expressions shall have the meaning hereunder assigned to them:

  • Data subject is any natural person, including the members of AEGEE Locals or Contacts;
  • Personal data is any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data includes sensitive data, such as those consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, diet or data concerning a natural person’s sex life or sexual orientation;
  • Processing means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Consent means any freely given specific and informed indication of the wishes by which the data subject signifies their agreement to personal data relating to them being processed;
  • Controller means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • Supervisory authority means an independent public authority which is established by a Member State pursuant to Art. 51 of the General Data Protection Regulation (GDPR);
  • Suspension means blocking access to services provided by AEGEE-Europe, not including those services provided by the AEGEE Local the data subject is a member of;
  • Anonymous statistical data is information collected on a categorical basis (by survey from data subjects, or from AEGEE databases) in terms of the design of the survey in such a way that the further reconstruction of the information about the data subject is not possible;
  • External data is information which emphasises the aim, purposes of the Association and its work, available and open for all interested parties;
  • Internal data is information about the Association and its work which can be accessed only by AEGEE members;
  • Confidential data is information about the Association and its work which can be accessed only by a certain number of AEGEE members, due to a position they hold in the Association;
  • Personal data breach means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Basic principles for data protection

Article 4: Levels of protection of the data

Having in mind best practices and aiming to guarantee due usage and corresponding levels of secrecy, all the information of the Association shall be divided into:

  • external data or data accessible for all;
  • internal data or data accessible only for AEGEE members and subject to exceptions granted by the Data Privacy Commission (DPC);
  • confidential data or data accessible only for certain AEGEE members holding official positions in the Association and responsible for information which they deal with and/or have access to for as long as their term lasts.

The DPC shall publish a list of the data according to the division stated above.

Changes to the list as defined above can be proposed to the DPC or, when vacant, the responsible CD member and must be ratified by the Autumn Agora. The DPC or responsible CD member shall present all proposed changes, accepted or rejected, to the Autumn Agora.

Article 5: Data communication tools and data storage tools

All the data about the Association and its work shall only be stored and presented through certain tools meant for storing and spreading information accordingly.

The DPC shall compile a list of these communication tools and a list of data storage tools according to the levels of protection the data communicated or stored on the respective medium requires. Possible use of encryption or safety requirements shall be indicated in the list. These lists shall be updated at least once a year and ratified by the Autumn Agora.

To obtain the status of a communication and/or storage tool of the Association, a formal request shall be sent to the DPC. The DPC shall decide on the matter and send its reply within 2 weeks after the request is received. If the DPC does not respond to the permission request within two weeks from the request, it will be considered as rejected.

Storing information on any other devices or locations that are not included in the list requires an exception granted by the DPC.

At the end of the term of elected and appointed AEGEE-Europe officials, all confidential data that was stored on their personal storage devices should be removed. A copy may be kept on storage devices of AEGEE-Europe that are only accessible to those as defined in the data storage tools list.

At any time, any AEGEE member can request AEGEE-Europe to provide information about the storage and use of their personal data. Within the confidentiality limits set out in Article 4, AEGEE-Europe shall provide the fullest possible account of this data within 30 days.

Article 6: Principles relating to processing of personal data

Personal data undergoing processing shall be:

  1. obtained and processed fairly and lawfully;
  2. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
  3. adequate, relevant and not excessive in relation to the purposes for which they are stored;
  4. accurate and, where necessary, kept up to date; keeping in mind the obligation of individual members to update their data to the current situation as defined in Article 6 paragraph 3;
  5. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

Article 7: Data security

AEGEE-Europe is responsible for the application of adequate technical and organisational security measures related to the processing of personal data.

AEGEE-Europe uses personal data of each data subject only for those purposes defined in the present statement.

In cases where the DPC deems it necessary, the persons responsible for processing have to sign a non-disclosure agreement with the Comité Directeur before they are granted access to the databases.

Rules for handling and storing of personal data

Article 8: Rights and obligations of data subjects

A data subject has the right to request all its personal data that is stored.

Data subjects are obliged to define the following kinds of personal data:

  • real name/surname;
  • email;
  • AEGEE Local/Contact;
  • year and date of birth;
  • nationality;
  • field of studies;
  • gender.

The Comité Directeur may request extra personal data like home address or social network/messenger identifiers. Those extra data will always be provided on an optional basis.

A data subject has the right to withdraw the permission to store their personal data. This will result in suspension. For the coherence of the anonymous statistical data, the following non-identifiable data cannot be withdrawn: AEGEE Local/Contact, year of birth, nationality, field of studies, gender.

Data subjects are obliged to keep their data up to date and make the needed changes when necessary.

In any case when a data subject or a group of data subjects holds probable that their data is not stored or processed in accordance with the provisions of the present statement, they may request an enquiry by the DPC. The DPC will give a binding verdict within two weeks after the initial request was made and after contacting both parties. The verdict of the DPC is final. In case the DPC holds probable that an ordinary member of AEGEE-Europe does not comply with the provisions of the present statement and/or applicable law, the DPC shall issue specific recommendations to the ordinary member to ensure their compliance. If the DPC holds probable that the implementation of the recommendations is insufficient, the Mediation Commission shall be activated to take disciplinary actions against an ordinary member in accordance with the Statutes of AEGEE-Europe as a possible outcome.

Article 9: General rules of data processing

Data is collected for specified, explicit and legitimate purposes and is not further processed without the prior data subject’s consent.

Certain personal data may be published online in a system open to AEGEE members only in case the data subject gives its specific consent.

The DPC:

  1. composes an internally available list of appointed or elected officials who have access to confidential data;
  2. defines together with the Comité Directeur the optional scope of data which AEGEE would like to gather from data subjects by subscription or other means.

In case there are no members in the DPC, the Comité Directeur takes over the tasks as described above.

Regarding activities and events organised by AEGEE-Europe and its ordinary members:

  1. the information concerning the data subject mentioned in Article 8 paragraph 2 is also used in order to confirm their AEGEE membership, for participation in any kind of AEGEE activities;
  2. with the purpose of the organisation of different kinds of AEGEE activities, any other subsidiary or extra data can be requested by the Organiser of the current activity;
  3. this information given by the data subject, with specific consent, is used only according to the purposes and aims of the current activity and is valid only within such activity.
  4. Personal data disclosed to ordinary members by AEGEE-Europe, for events or other purposes, shall be processed according to the GDPR. If any ordinary member becomes aware of a data breach of personal data obtained from AEGEE-Europe or through AEGEE-Europe’s systems, it will notify AEGEE-Europe of the incident promptly and take reasonable steps to minimise harm and secure personal data. The form of the notification is to be as prescribed in Article 11 of the present statement.

Regarding activities in cooperation with AEGEE:

  1. in order to apply for and participate in joint activities with third parties not bound by the Convention d’Adhésion, the data subject shall give its consent for the usage of the required data according to the provisions of the present Article;
  2. the personal data shall be used only within the current external activity;
  3. in case of a joint activity with a third party not bound by the Convention d’Adhésion, an agreement will be made on how the personal data will be handled and it will be accessible to the data subject.

Article 10: Commercial usage of data

AEGEE-Europe will not give personal data to third parties, unless the involved data subjects give their specific and one-time consent.

The Comité Directeur may disclose anonymous statistical data about the data subjects to third parties in order to gain profit from this. The DPC must give permission to do so. If the DPC does not respond to the permission request within two weeks from the initial request, it will be considered as rejected.

The Comité Directeur may send advertisements by third parties to specific data subjects (e.g. Law or Engineering students) of AEGEE.

To minimise inconvenience, data subjects can only receive up to ten commercial messages a year. The DPC shall be notified in advance.

Each data subject has the right to refuse to get any kind of such advertisements.

Final clauses

Article 11: Liabilities

Access to the data can be forced by court decision. AEGEE-Europe will fully cooperate with the legal authorities in order to fulfil the decision of the court.

AEGEE-Europe shall do its utmost to protect the subject’s data.

AEGEE-Europe shall not be responsible for unauthorised access outside its control, including, but not limited to, hacking, theft of hardware and eavesdropping.

In the case of a personal data breach where AEGEE-Europe is the controller of the breached personal data, AEGEE-Europe shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In cases where AEGEE-Europe operates as the processor of the personal data, the controllers (e.g. Locals, partners, other parties) of this should be immediately notified. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The notification shall at least:

  1. describe the nature of the data breach (what, how and how much data);
  2. communicate the name and contact information of the organ where more information can be obtained;
  3. describe the likely consequences of the data breach;
  4. describe the measures taken to minimise the consequences of the breach as well as to prevent another such situation in the future.

Article 12: Data breach response for cases not involving personal data

In any case when a member holds that the data of AEGEE-Europe is not stored or processed in accordance with the provisions of the present statement, they must report this incident to the DPC. The DPC will give a binding verdict within a month after the initial report was made and after contacting all relevant parties. The verdict of the DPC is final. In case the DPC holds probable that an ordinary member of AEGEE-Europe does not comply with the provisions of the ordinary member to ensure their compliance. If the DPC holds probable that the implementation of the recommendations is insufficient, the Mediation Commission shall be activated to take disciplinary actions against an ordinary member in accordance with the Statutes of AEGEE-Europe as a possible outcome.

Article 13: Applicable law

Any processing of personal data of which AEGEE-Europe is the controller is governed by Belgian law.

Any actions of the ordinary members, located within the European Economic Area or countries recognised by the European Commission as countries ensuring an adequate level of data protection, are governed by the law of the respective national government.

Any ordinary member located outside the European Economic Area, in a country not recognised by the European Commission as ensuring an adequate level of protection, shall be subject to separate binding rules approved by the supervisory authority, before any personal data is disclosed.

Article 14: Amendments and special procedures

Amendments to this statement can be made by the Agora only with a qualified majority of votes.

For cases not regulated, the Comité Directeur may act outside its competence provided it gets permission from the DPC to do so. If the DPC does not respond to the permission request within two weeks from the request, it will be considered as rejected.